sullx Cheater Reputation: 0
Joined: 03 Jan 2013 Posts: 37
Posted: Sat Jan 19, 2013 1:17 am    Post subject: Changing EIP register with Lua is not reproducing
I can inject some code manually with the auto assembler and then right-click the address I am interested in and change the EIP register to point to my newly allocated memory, which operates and then jumps back to where it left off.
I am trying to automate this with Lua, and this is what I have:
Code:
script=[[
globalalloc(newmem,20) //2kb should be enough
newmem:
fstp dword ptr [edi+000000A0]
add dword ptr [edi+000000A0],CD0000
jmp 0054E708
]]
autoAssemble(script);
print( string.format( '%x', getAddress("newmem") ) );
function debugger_onBreakpoint()
  -- assigns the formatted hex string, not the numeric address
  EIP=string.format( '%x', getAddress("newmem") );
  debug_continueFromBreakpoint(co_run)
end
reinitializeSymbolhandler()
debugProcess()
debug_setBreakpoint("0054E702")
This moves the EIP to the newly allocated memory but in a different way. When I do it manually, the game is fine and it works perfect. When I do it using EIP=getAddress as above, the game crashes. What's going on?
Thanks
Dark Byte Site Admin Reputation: 457
Joined: 09 May 2003 Posts: 25262 Location: The netherlands
Posted: Sat Jan 19, 2013 4:09 am
In this case EIP is a numeric value, not a string.
So EIP=getAddress("newmem")
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
sullx Cheater Reputation: 0
Joined: 03 Jan 2013 Posts: 37
Posted: Sat Jan 19, 2013 12:58 pm
Unfortunately, that doesn't work because getAddress returns the address of newmem in decimal. So I need to convert the address to hex, which it does, and I can also verify that the EIP is changed to the hex address I want after I convert from decimal by printing out the EIP. But it crashes the game...
What's going on?
Dark Byte Site Admin Reputation: 457
Joined: 09 May 2003 Posts: 25262 Location: The netherlands
Posted: Sat Jan 19, 2013 1:36 pm
EIP is also a decimal, so do not convert it to hex
sullx Cheater Reputation: 0
Joined: 03 Jan 2013 Posts: 37
Posted: Sat Jan 19, 2013 2:38 pm
OK, you are right. But even still, the EIP= is not behaving the way "Change register on breakpoint" is. I have recorded a small video to show the exact difference.
hxxp://youtu.be/Dr8Oq5Tj2CU (change x's to t's)
Essentially, what I have done is toggled a breakpoint and changed the EIP register at that point to the next opcode, effectively jumping over the operation at the breakpoint. This works just fine when I do it manually, as you can see the Minesweeper timer pause until I untoggle the breakpoint. When I perform the exact same operation via Lua, there is completely different behavior. The timer gets reset to zero and sometimes -99.
Is "Change register at breakpoint" coded differently than EIP=Address? Also, I have set the EIP address with hex in the video, but I have also done it using dec and reproduced the same results as above.
Dark Byte Site Admin Reputation: 457
Joined: 09 May 2003 Posts: 25262 Location: The netherlands
Posted: Sat Jan 19, 2013 3:16 pm
Try instead of
For some reason the first one doesn't error out, but sets the value to nil
sullx Cheater Reputation: 0
Joined: 03 Jan 2013 Posts: 37
Posted: Sat Jan 19, 2013 3:20 pm
Thanks DarkByte,
But unfortunately, adding 0x to the memory address didn't work either; it still nils the value out when I use Lua, which makes me believe that it's not actually changing the EIP to the next opcode in the same way that using "Change register at this location" does.
-- edit --
I am going to look at the CE source and see if I can't figure out what the difference is.
Dark Byte Site Admin Reputation: 457
Joined: 09 May 2003 Posts: 25262 Location: The netherlands
Posted: Sat Jan 19, 2013 4:19 pm
I just checked the source and your video closer.
You're using it on a 64-bit application, so instead of EIP, use RIP (EIP does not exist to Lua when debugging a 64-bit program).
Source code in luahandler.pas:
Code:
lua_getglobal(luavm, 'RIP');
context.RIP:=lua_tointeger(luavm, -1);
sullx Cheater Reputation: 0
Joined: 03 Jan 2013 Posts: 37
Posted: Sat Jan 19, 2013 4:48 pm
Brilliant: IP is 16-bit, EIP is 32-bit, RIP is 64-bit. Had no idea! I was getting that sense when looking through frmModifyRegistersUnit.pas, as there are different declarations for 64-bit. But I probably wouldn't have put it together for a while.
Thank you!
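Putting the two corrections from this thread together (the register globals in debugger_onBreakpoint are integers, not hex strings, and on a 64-bit target the global is RIP rather than EIP), here is an added example of the handler written to work on either bitness. It is not code from the thread or from Cheat Engine's own sources. It reuses the poster's auto-assembler script and addresses unchanged (they only mean something in that specific target), assumes the standard Cheat Engine Lua functions autoAssemble, getAddress, reinitializeSymbolhandler, targetIs64Bit, debugProcess, debug_setBreakpoint and debug_continueFromBreakpoint, and assumes a process has already been opened in CE before the script runs.

```lua
-- Added example, not from the thread or from Cheat Engine's own sources.
-- Redirects execution to injected code from a Lua breakpoint handler,
-- choosing EIP or RIP by the target's bitness. Assumes the Cheat Engine
-- Lua API named in the lead-in and a process already opened in CE.

-- Addresses and injected code taken unchanged from the thread; they are
-- only meaningful in the poster's specific target.
local hookAddress = "0054E702"

local script = [[
globalalloc(newmem,20)
newmem:
fstp dword ptr [edi+000000A0]
add dword ptr [edi+000000A0],CD0000
jmp 0054E708
]]

if not autoAssemble(script) then
  error("auto assembler script failed")
end
reinitializeSymbolhandler()

-- getAddress returns a Lua number. Keep it as a number; only format it
-- for display. Assigning a formatted hex string to EIP/RIP does not work,
-- because CE reads the global back with lua_tointeger.
local newmem = getAddress("newmem")
print(string.format("newmem allocated at %X", newmem))

-- On a 64-bit target CE exposes RIP (and RAX, RBX, ...) to Lua; EIP is
-- just an ordinary undefined global there, so assigning to it changes
-- nothing in the thread context.
local is64 = targetIs64Bit()

function debugger_onBreakpoint()
  if is64 then
    RIP = newmem
  else
    EIP = newmem
  end
  debug_continueFromBreakpoint(co_run)
  -- Return non-zero so CE does not refresh its UI and leave the target
  -- paused; 0 would hand the break back to the GUI.
  return 1
end

debugProcess()
debug_setBreakpoint(hookAddress)
```

The return-value convention used at the end of the handler (0 lets CE update its interface, anything else means the script handled the break) is the one documented in CE's celua.txt for debugger_onBreakpoint; if your build's documentation says otherwise, follow it.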